Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

/tmp/la.bot.arm7.elf

URLs

Name

Malicious

http:///wget.sh

unknown

Details

Name:	http:///wget.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/la.bot.arm7.elf
Source:	la.bot.arm7.elf

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

http:///curl.sh

unknown

Details

Name:	http:///curl.sh
TargetID:	12
From Memory:	true
Current Path:	/tmp/la.bot.arm7.elf
Source:	la.bot.arm7.elf

Signature Hits	Behavior Group	Mitre Attack
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable	System Summary
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

156.244.19.135

unknown

Seychelles

Details

IP:	156.244.19.135
TargetID:	-1
Country:	Seychelles
Countrycode:	SYC
ASN number:	132839
ASN name:	POWERLINE-AS-APPOWERLINEDATACENTERHK
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

185.84.81.194

unknown

Germany

Details

IP:	185.84.81.194
TargetID:	-1
Country:	Germany
Countrycode:	DEU
ASN number:	8648
ASN name:	KAMP-DE
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f3235167000

page read and write

55924e8ef000

page read and write

7f3234424000

page read and write

7f3234a83000

page read and write

7ffdf7750000

page execute read

7f3235122000

page read and write

7ffdf7728000

page read and write

7f3235122000

page read and write

7ffdf7750000

page execute read

7f312c02f000

page execute read

55924f5d6000

page read and write

55924e8d8000

page execute and read and write

7f312c037000

page read and write

7f3234818000

page read and write

55924c8da000

page read and write

7f3235167000

page read and write

7f322c021000

page read and write

7f3234a83000

page read and write

55924c680000

page execute read

7f312c02f000

page execute read

55924c680000

page execute read

7f322bfff000

page read and write

7f32344b6000

page read and write

7f322bfff000

page read and write

7f3234c12000

page read and write

55924c8da000

page read and write

7f3233c1c000

page read and write

7f312c037000

page read and write

55924c8d1000

page read and write

7f3234fd5000

page read and write

7f3234fd5000

page read and write

55924e8ef000

page read and write

7f322c021000

page read and write

7f3234424000

page read and write

55924c680000

page execute read

7f312c040000

page read and write

7f322bfff000

page read and write

7f3233c1c000

page read and write

7f3234424000

page read and write

7f3235167000

page read and write

7f3234df4000

page read and write

7f32344b6000

page read and write

7f32344b6000

page read and write

7f3234818000

page read and write

7f3234c12000

page read and write

55924c8d1000

page read and write

7f3234aa6000

page read and write

55924e8d8000

page execute and read and write

7f32350fe000

page read and write

55924c8d1000

page read and write

55924e8d8000

page execute and read and write

55924f5d6000

page read and write

7f3234c12000

page read and write

7ffdf7728000

page read and write

7f312c037000

page read and write

7f3234df4000

page read and write

7f3234a83000

page read and write

7f3234fd5000

page read and write

7f3234818000

page read and write

7f312c040000

page read and write

7f312c040000

page read and write

7f312c02f000

page execute read

7f3234aa6000

page read and write

7f32350fe000

page read and write

7f322c021000

page read and write

7ffdf7750000

page execute read

7f3235122000

page read and write

7f3233c1c000

page read and write

7f3234df4000

page read and write

7ffdf7728000

page read and write

55924c8da000

page read and write

55924e8ef000

page read and write

7f32350fe000

page read and write

7f3234aa6000

page read and write

55924f5d6000

page read and write

There are 65 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
la.bot.arm7.elf

Processes

URLs

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportla.bot.arm7.elf

Processes

URLs

IPs

Memdumps

IOC Report
la.bot.arm7.elf